We cannot accept a plugin that includes an entire other plugin, wholesale, inside it.

You have CMB2, complete with plugin headers.

While we understand the use of framework (or boilerplate) plugins, and encourage the use of common libraries, full blown plugins should never be included inside another, as it causes multiple potential issues, such as function/attribute conflicts, and also opens your code up for issues should the included plugin be closed for a security hole.

The proper way to include another plugin would be to require it in your own. You can use the hook is_plugin_active() to check to see if the plugin is, indeed, installed and active.

Some libraries (like Titan Framework) have cleverly included their own requirement checker. Other libraries (like CMB2) have an alternate install version that checks for the presence of an updated version of their full plugin. Sadly there isn't one PERFECT answer for including a library that happens to be a plugin.

Either way, an entire copy of a plugin that already exists in the repository is not permitted.

----

Please make sure you've addressed ALL issues brought up in this email. When you've corrected your code, reply to this email with the updated code attached as a zip, or provide a link to the new code for us to review. If you have questions, concerns, or need clarification, please reply to this email and just ask us.

(While we have tried to make this review as exhaustive as possible we, like you, are humans and may have missed things. As such, we will re-review the ENTIRE plugin when you send it back to us. We appreciate your patience and understanding in this.)
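
An added example, not code from the review team or from CMB2, showing one way to require CMB2 as a separate plugin instead of bundling it. The plugin name, the `eqf_` prefix, the field ids and the main-file path `cmb2/init.php` are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example Quiz Fields (hypothetical plugin, for illustration only)
 */
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Assumed location of the required plugin's main file, relative to the plugins directory.
const EQF_REQUIRED_PLUGIN = 'cmb2/init.php';

function eqf_dependency_active() {
	// is_plugin_active() is only loaded in wp-admin by default, so load it on demand.
	if ( ! function_exists( 'is_plugin_active' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	return is_plugin_active( EQF_REQUIRED_PLUGIN );
}

function eqf_bootstrap() {
	if ( ! eqf_dependency_active() ) {
		// Tell the admin what is missing and register nothing else.
		add_action( 'admin_notices', 'eqf_missing_dependency_notice' );
		return;
	}
	// Dependency is active: hook into its API rather than shipping a copy of it.
	add_action( 'cmb2_admin_init', 'eqf_register_metaboxes' );
}
add_action( 'plugins_loaded', 'eqf_bootstrap' );

function eqf_missing_dependency_notice() {
	if ( ! current_user_can( 'activate_plugins' ) ) {
		return;
	}
	printf(
		'<div class="notice notice-error"><p>%s</p></div>',
		esc_html__( 'Example Quiz Fields requires the CMB2 plugin to be installed and active.', 'example-quiz-fields' )
	);
}

function eqf_register_metaboxes() {
	$box = new_cmb2_box( array(
		'id'           => 'eqf_quiz',
		'title'        => 'Quiz settings',
		'object_types' => array( 'post' ),
	) );
	$box->add_field( array( 'name' => 'Pass mark', 'id' => 'eqf_pass_mark', 'type' => 'text_small' ) );
}
```

Because the dependency is installed from the repository, a security update to it reaches the site through the normal plugin updater instead of waiting on a new release of the plugin that uses it.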

ResultPress
https://wordpress.org/plugins/resultpress/#post-99892
Thu, 19 May 2016 18:29:05 +0000, raselahmed7

Quick Quiz
https://wordpress.org/plugins/quick-quiz/#post-93025
Sun, 03 Jan 2016 17:33:16 +0000, Ipstenu (Mika Epstein)

Emailed Author: There are issues with your plugin code. Please read this ENTIRE email, address all listed issues, and reply to this email with your corrected code attached. It is required for you to read and reply to these emails, and failure to do so will result in your plugin being rejected.

## Please sanitize, escape, and validate your POST calls

When you include POST/GET/REQUEST calls in your plugin, it's important to sanitize, validate, and escape them.

All instances where $_POST data is inserted into the database, or into a file, MUST be properly sanitized for security. This also holds true for $_REQUEST calls that are processed. In addition, by sanitizing your POST data when used to make action calls or URL redirects, you will lessen the possibility of XSS vulnerabilities. You should never have a raw POST call inserted into the database, even by an update function, and even with a prepare() call.

In addition to sanitization, you should validate all your calls. If a $_POST call should only be a number, ensure it's an int() before you pass it through anything. Even if you're sanitizing or using WordPress functions to ensure things are safe, we ask you please validate for sanity's sake. Any time you are adding data to the database, it should be the right data.

Similarly, when you're outputting data, make sure to escape it properly, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

In all cases, using stripslashes is not enough. You need to use the correct methods associated with the type of content you're processing. The ultimate goal is that you should ensure that invalid and unsafe data is NEVER processed or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Direct file access is when someone directly queries your file. This can be done by simply entering the complete path to the file in the URL bar of the browser but can also be done by doing a POST request directly to the file. For files that only contain a PHP class the risk of something funky happening when directly accessed is pretty small. For files that contain procedural code, functions and function calls, the chance of security risks is a lot bigger.

You can avoid this by putting this code at the top of all php files:

if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

----

Please make sure you've addressed ALL issues brought up in this email. When you've corrected your code, reply to this email with the updated code attached as a zip, or provide a link to the new code for us to review. If you have questions, concerns, or need clarification, please reply to this email and just ask us.

Either you did not include a direct link to your code with your submission, OR the link you provided was invalid/inaccessible. Could you please reply with a link so the plugin can be downloaded? Alternately you can reply to this and attach your .zip or .rar file.

Note: Please DO NOT just send the same link without verifying it works for someone not logged in to your system. We probably had issues getting your site to load, so sending the same link will likely get you the same reply.

If your plugin is not complete, and you need a place to version control your code while you work on it, you can use GitHub to safely host your code while you're developing. We do not accept incomplete/non-functional plugins.

Please reply within 7 days. If a reply is not received the submission will be rejected and you will have to submit the plugin again, with code, should you want your plugin hosted.

Thanks.
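
An added example, not part of the review email or of any reviewed plugin, putting the sanitize, validate and escape steps described above into one settings handler and its form. The `eqs_` prefix, the field names, the allowed values and the settings page slug are assumptions made for illustration.

```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
	exit; // Exit if accessed directly.
}

// Hypothetical handler: WordPress calls it for POSTs to admin-post.php with action=eqs_save.
add_action( 'admin_post_eqs_save', 'eqs_save_settings' );

function eqs_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'eqs' ), 403 );
	}
	check_admin_referer( 'eqs_save', 'eqs_nonce' ); // Stops on a missing or bad nonce.

	// Sanitize: remove the slashes WordPress adds, then clean each value by its type.
	$title = isset( $_POST['eqs_title'] ) ? sanitize_text_field( wp_unslash( $_POST['eqs_title'] ) ) : '';
	$mode  = isset( $_POST['eqs_mode'] ) ? sanitize_key( wp_unslash( $_POST['eqs_mode'] ) ) : '';
	$limit = isset( $_POST['eqs_limit'] ) ? absint( $_POST['eqs_limit'] ) : 0;

	// Validate: sanitized data must still be the right data before it is stored.
	$errors = array();
	if ( '' === $title || strlen( $title ) > 100 ) { $errors[] = 'title'; }
	if ( ! in_array( $mode, array( 'practice', 'exam' ), true ) ) { $errors[] = 'mode'; }
	if ( $limit < 1 || $limit > 50 ) { $errors[] = 'limit'; }

	if ( ! $errors ) {
		update_option( 'eqs_settings', compact( 'title', 'mode', 'limit' ) );
	}
	$target = add_query_arg( 'eqs_status', $errors ? 'invalid' : 'saved', admin_url( 'options-general.php?page=eqs' ) );
	wp_safe_redirect( $target );
	exit;
}

function eqs_render_form() {
	$s = wp_parse_args( get_option( 'eqs_settings', array() ), array( 'title' => '', 'mode' => 'practice', 'limit' => 10 ) );
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="eqs_save">
		<?php wp_nonce_field( 'eqs_save', 'eqs_nonce' ); ?>
		<input type="text" name="eqs_title" value="<?php echo esc_attr( $s['title'] ); ?>">
		<input type="number" name="eqs_limit" value="<?php echo esc_attr( $s['limit'] ); ?>">
		<select name="eqs_mode"><option>practice</option><option>exam</option></select>
		<p><?php echo esc_html( sprintf( 'Current mode: %s', $s['mode'] ) ); ?></p>
		<?php submit_button(); ?>
	</form>
	<?php
}
```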

WpCues Basic Quiz
https://wordpress.org/plugins/wpcues-basic-quiz/#post-79091
Thu, 12 Mar 2015 15:55:09 +0000, wpcues

Very Simple Quiz
https://wordpress.org/plugins/very-simple-quiz/#post-72219
Tue, 16 Sep 2014 20:07:43 +0000, Brijesh Mishra

Easy Quiz WP Exam Testing
https://wordpress.org/plugins/easy-quiz-wp-exam-testing/#post-68028
Wed, 28 May 2014 19:47:17 +0000, CustomWPNinjas

Chained Quiz
https://wordpress.org/plugins/chained-quiz/#post-61948
Fri, 20 Dec 2013 16:37:22 +0000, prasunsen

Exam Matrix
https://wordpress.org/plugins/exam-matrix/#post-61856
Wed, 18 Dec 2013 03:07:47 +0000, Ipstenu (Mika Epstein)

Emailed Author: Including wp-config.php, wp-blog-header.php, wp-load.php, or pretty much any other WordPress core file that you have to call directly via an include is not a good idea and we cannot approve a plugin that does so unless it has a very good reason to load the file(s). It is prone to failure since not all WordPress installs have the exact same file structure.

Usually plugins will include wp-config.php or wp-load.php in order to gain access to core WordPress functions, but there are much better ways to do this.

It's best if you tie your processing functions (the ones that need but don't have access to core functions) into an action hook, such as "init" or "admin_init".

When you've corrected your code, reply to this email with the updated code attached, or provide a link to the new code.
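
An added example, not taken from the review email or from the reviewed plugin, showing a processing function moved from a directly requested file into action hooks so that WordPress loads itself. The `emx_` prefix, the `emx_score` action, the `_emx_answer_key` meta key and the script path are assumptions made for illustration.

```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Before (the pattern the email rejects): a standalone score.php that begins with
//   require '../../../wp-load.php';
// and is requested directly by the browser.

// After: the browser posts to admin-ajax.php and WordPress calls the hooked handler.
add_action( 'wp_ajax_emx_score', 'emx_ajax_score' );        // Logged-in users.
add_action( 'wp_ajax_nopriv_emx_score', 'emx_ajax_score' ); // Visitors.

function emx_ajax_score() {
	check_ajax_referer( 'emx_score', 'nonce' ); // Stops on a missing or bad nonce.

	$quiz_id = isset( $_POST['quiz_id'] ) ? absint( $_POST['quiz_id'] ) : 0;
	$quiz    = $quiz_id ? get_post( $quiz_id ) : null;
	if ( ! $quiz || 'publish' !== $quiz->post_status ) {
		wp_send_json_error( array( 'message' => 'Unknown quiz.' ), 404 );
	}

	// Answers arrive as question index => chosen option; force both to integers.
	$answers = isset( $_POST['answers'] ) && is_array( $_POST['answers'] )
		? array_map( 'absint', wp_unslash( $_POST['answers'] ) )
		: array();
	$key     = array_map( 'absint', (array) get_post_meta( $quiz_id, '_emx_answer_key', true ) );

	// Count positions where the submitted option matches the stored key.
	$correct = count( array_intersect_assoc( $answers, $key ) );
	wp_send_json_success( array( 'correct' => $correct, 'total' => count( $key ) ) );
}

add_action( 'wp_enqueue_scripts', 'emx_enqueue' );

function emx_enqueue() {
	// Depends on the jQuery that ships with WordPress; no bundled copy.
	wp_enqueue_script( 'emx-quiz', plugins_url( 'js/quiz.js', __FILE__ ), array( 'jquery' ), '1.0.0', true );
	wp_localize_script( 'emx-quiz', 'emxQuiz', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'emx_score' ),
	) );
}
```

The handler no longer depends on where wp-load.php sits relative to the plugin directory, and every request passes through the nonce check before any data is read.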

Exam Matrix
https://wordpress.org/plugins/exam-matrix/#post-61833
Tue, 17 Dec 2013 17:12:50 +0000, Udit Rawat

Quiz And Survey Master (Formerly Quiz Master Next)
https://wordpress.org/plugins/quiz-master-next/#post-58011
Thu, 05 Sep 2013 03:39:11 +0000, Frank Corso

Easy Quiz
https://wordpress.org/plugins/easy-quiz/#post-43000
Mon, 10 Sep 2012 16:25:22 +0000, Ipstenu (Mika Epstein)

Emailed Author: WordPress includes its own version of jquery, which has been rigorously tested with WP and many of the most common plugins. In order to provide the best compatibility and experience for our users, we ask that you not package your own (especially not an older version) and instead use wp_enqueue_script() to pull in WordPress’s version.

Keep in mind: Offloading the default jquery and other scripts to Google is similarly disallowed. If your code doesn't work with the built-in jQuery, it's most likely a noconflict issue. If you can't guess, we -really- want you to use our jquery, and if you can't, we need to know why so we can fix things for everyone.

When you've corrected your code, reply to this email with the updated code attached, or provide a link to the new code.